Tribe of Hackers Red Team - Marcus J. Carey - Page 16
10 Ronald Eddings
“From my perspective, the best way to get a red team job is to get involved in the red team community.”
Twitter: @ronaldeddings
Ronald Eddings is a Silicon Valley–based cybersecurity expert, blogger, and digital nomad whose ingenuity, dedication, and ambition have all earned him a reputation as a trusted industry leader. Over the course of his career, Ronald has garnered extensive experience working at various Fortune 500 companies and mentoring a multitude of fellow professionals. In addition to cybersecurity, he is well versed in software development, DevOps, and artificial intelligence. Currently, Ronald serves as a cyber fusion engineer at a cybersecurity startup and is an active contributor to several open source projects. He also holds a bachelor of science degree in information technology and an array of cybersecurity certifications.
How did you get your start on a red team?
My experience with red team, pentesting, and offensive operations came in phases. Before starting my career, I had a fortunate opportunity and became connected with hackers in the InfoSec community by being in the right places at the right times. When I first met Marcus J. Carey, I was still in high school and happened to be reading my first book on Linux.
Through Marcus, I met other hackers like Johnny Long, Marco Figueroa, Joe McCray, and many more. Through seeking and receiving mentorship, I learned that I could thrive in the field, and there was nothing in my way except for reading the material and understanding that mastery does not come all at once. At the time, there were not as many jobs for red teaming, pentesting, or anything attack related. Initially, I spent a great amount of time learning about how devices communicate and how to code in Python, JavaScript, and Ruby. Coincidentally, building a foundation of knowledge in those areas happened to be what the industry was looking for. Learning these topics did not come with ease but did make for a better time when interviewing and striving for my degree. While attending community college, I submerged myself in the newly organized InfoSec club and competed at events like Collegiate Cyber Defense Competition (CCDC). After mentioning my experiences to my college professor, I learned that he was a senior associate at Booz Allen Hamilton and recently opened a job requirement for a red team. Fortunately, I had stayed close with the idea that mastery does not come overnight and had been consistently making an attempt to become more versatile in the tools and programming languages available. When the time came to interview, I did everything to prepare—great meal, full night of rest, and showing up early to the interview. Since I was prepared and also had a reference, the opportunity was serendipitous and less stressful.
What is the best way to get a red team job?
From my perspective, the best way to get a red team job is to get involved in the red team community. There are many public events, conferences, and meetups that happen in various cities and online. It can also be a great start to participate and volunteer at conferences. This could be a significant start to diversify your peer group and ultimately strengthen your skills. Another strategy to get involved is to participate in CTFs and other public challenges. Practicing your craft for a set amount of time with a new set of challenges always goes a long way.
How can someone gain red team skills without getting in trouble with the law?
There has never been a better time to ethically obtain red team skills. Virtualization enables practitioners and enthusiasts to rapidly deploy infrastructure and applications. Today, my personal preference is Docker, which assists in creating a playground to attack devices and try new tools on various operating systems. To get started, there are many resources available such as books (e.g., Tribe of Hackers), online courses, conferences, and much more. My recommendation would be to become curious about what makes technology vulnerable and how to protect against attacks.
Why can’t we agree on what a red team is?
It’s probably a good thing that there are differences in red team definitions. Challenging current assumptions and searching for new solutions are what a red team is built on. I promote and encourage following a standard or setting out for a more optimal solution, since each organization has different requirements.
What is one thing the rest of information security doesn’t understand about being on a red team? What is the most toxic falsehood you have heard related to red, blue, or purple teams?
A falsehood that I hear commonly is that a team has a single or few purposes. Red, blue, and purple teams have overlapping responsibilities with several teams. In fact, there are some red teamers who are doing more blue team work due to a lack of blue team resources. What can be toxic is attempting to stick to a single lane and not completely participating with the organization as a whole.
When should you introduce a formal red team into an organization’s security program?
It can be difficult to determine when is a good time to introduce a red team into an organization. I’d measure a few key things: I’d assess if an organization had an incident response plan. If so, I’d ask, does the organization have a team to gather data and respond to such incidents? Lastly, I’d ask, does the organization have the capability and tools to eliminate and proactively protect against threats? If all of these are true, it may be time to introduce a red team. I’ve seen organizations invest in an existing team member to go to conferences and trainings to assist in building a new red team, which can go a long way if done with care.
How do you explain the value of red teaming to a reluctant or nontechnical client or organization?
With the growth and demand for InfoSec practitioners, red teams are appearing and growing to a larger size. Articulating the value of a red team is best done when threat research is done in concert. A red team that understands threats can perform more realistic tests based on previous attacks and events. Through documentation, it can be trivial to share details and metrics on what an organization is vulnerable to.
What is the least bang-for-your-buck security control that you see implemented?
To reverse the question, the most bang-for-your-buck control would be training. It’s easy to buy a product and hope that it works. Vulnerabilities often exist because of a lack of training or hard-to-follow processes. Receiving training and optimizing processes go a tremendous way. As mundane as it may sound, regular security awareness training is effective—and serves as a precursor to red team tests.
Have you ever recommended not doing a red team engagement?
My background is working with larger organizations, which I’ve always found needing/requiring a red team engagement. The attack surface/landscape has grown by several orders of magnitude and is proof that security integration is continuous and ongoing. With the rise of applications, APIs, and IoT devices, there are always quite a few red flags identified. Red teams can help flag and assess these vulnerabilities to ensure other attackers are not taking advantage of such issues.
What’s the most important or easiest-to-implement control that can prevent you from compromising a system or network?
A firewall. There’s very little reason for many ports to be able to communicate outside of your organization. Most modern firewalls can also assist with creating rules that block malformed application requests.
Additionally, a firewall works great for blocking known bad addresses and other artifacts based on signatures and other techniques. As an organization matures, a firewall is a keystone resource to collect logs from.
Why do you feel it is critical to stay within the rules of engagement?
Red teams are being formed at organizations at an increasing rate because of the value that they can bring. Rules of engagement can help ensure a successful red team engagement in a production network. Existing outside the rules of engagement could lead to loss of profit and trust for an organization. More specifically, crashing an application or service that generates revenue for an organization is bad news for everyone. Rules of engagement are expectations that are set and agreed upon. If boundaries need to be adjusted, a professional red team will contact customers or stakeholders to adjust accordingly.
If you were ever busted on a penetration test or other engagement, how did you handle it?
Fortunately, I’ve never been completely busted. However, I have made several messy mistakes creating logs in sources I did not want to be seen in. More specifically, crashing an application can be an attacker’s worst nightmare. When critical services crash, there are many logs created in several sources. It’s the attacker’s responsibility to clean up after themselves. I’ve had a few engagements where I’ve given an engineer a perfect opportunity to upgrade by crashing a service—which ultimately led to a patched vulnerability. If engineers have verbose logging enabled, there’s a possibility that your payload will be revealed and give away the fact that an attack is underway. In situations like this, I make it my mission to find an alternative route for exploitation to ensure that I can clean up my logs and restart crashed services.
What is the biggest ethical quandary you experienced while on an assigned objective?
The biggest ethical quandary I face is teaching exploitation. With great exploits come great responsibilities. I spend part of my time teaching educational content on YouTube, with a portion of it being exploitation. While teaching this skill, I put in extra effort to narrow the focus on professionals in the InfoSec field and avoid viewers who are searching How to Hack {Favorite Website Goes Here}.
How does the red team work together to get the job done?
The red teams that show the most value are the teams that have great documentation practices. Detailed documentation leads to detailed reports and less stress at the end of an engagement. Taking the time to document your work is a team sport in itself. Just one individual not providing detailed documentation could mean missed learning opportunities for the entire team and less understanding of what was completed for the customer. Lastly, if the results are documented well enough, then debriefing blue teams will be a lot more straightforward.
What is your approach to debriefing and supporting blue teams after an operation is completed?
Before an engagement, I work with my customer or organization to set expectations and document each phase of my work. Assuming expectations are set beforehand, it’s easier to collect data/create metrics on what is important. My approach to debriefing is typically sharing details on three pillars: evaluation, scoring/severity, and recommended fixes. My experience with organizations has been ongoing, and I’ve been frequently involved in applying the fix and assisting onboarding new application builds.
If you were to switch to the blue team, what would be your first step to better defend against attacks?
I find myself constantly working with teams focused on defense. There is an abundance of applications with open source packages and libraries. When I’m able to find vulnerabilities in source code, I work closely with engineers to patch and with blue teams to search for activity. After finding vulnerabilities, I enjoy hunting for evidence of similar discoveries. My recommendation for defense is to set up perimeters. It’s vital to set up strong perimeters around your critical assets and entire organization.
Through this process, it’s important to remember that security is ongoing and can’t be solved in a single day. Sometimes turning on an alert will lead to an influx of events/incidents—it takes time to tune alerts and triggers. This should not be discouraging.
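Two of the answers above point at the same defensive habit: the firewall answer names the firewall as the keystone log source and argues that few ports have any reason to talk outside the organization, and the blue team answer notes that a newly enabled alert first produces a flood of events that must be tuned down. The following script is an added example, not code from the book or from Ronald Eddings, that puts both ideas together. It assumes Linux netfilter-style LOG lines with a constructed prefix named EGRESS-DROP and a handful of constructed addresses from the documentation ranges; the allowlist of known-good destinations and the distinct-port threshold are the tuning knobs, also constructed for the example.

```python
"""Summarise blocked outbound (egress) connections from firewall log lines.

Added example, not from the book. It assumes netfilter LOG entries of the form
  ... [EGRESS-DROP] IN=eth0 OUT=eth1 SRC=10.0.1.5 DST=203.0.113.7 ... PROTO=TCP SPT=51234 DPT=4444 SYN
The prefix name EGRESS-DROP, the hosts and the addresses are all constructed.
"""
import re
from collections import defaultdict

# Constructed sample lines in kernel-log style (documentation address ranges only).
# The last line is unrelated sshd noise to show that non-firewall lines are ignored.
SAMPLE_LOG = """\
Mar  3 10:01:02 fw kernel: [EGRESS-DROP] IN=eth0 OUT=eth1 SRC=10.0.1.5 DST=203.0.113.7 LEN=60 PROTO=TCP SPT=51234 DPT=4444 SYN
Mar  3 10:01:03 fw kernel: [EGRESS-DROP] IN=eth0 OUT=eth1 SRC=10.0.1.5 DST=203.0.113.7 LEN=60 PROTO=TCP SPT=51235 DPT=4444 SYN
Mar  3 10:01:05 fw kernel: [EGRESS-DROP] IN=eth0 OUT=eth1 SRC=10.0.1.5 DST=198.51.100.9 LEN=60 PROTO=TCP SPT=51240 DPT=8443 SYN
Mar  3 10:01:09 fw kernel: [EGRESS-DROP] IN=eth0 OUT=eth1 SRC=10.0.1.5 DST=198.51.100.9 LEN=60 PROTO=TCP SPT=51241 DPT=6667 SYN
Mar  3 10:02:11 fw kernel: [EGRESS-DROP] IN=eth0 OUT=eth1 SRC=10.0.2.20 DST=192.0.2.25 LEN=60 PROTO=TCP SPT=40001 DPT=25 SYN
Mar  3 10:02:12 fw kernel: [EGRESS-DROP] IN=eth0 OUT=eth1 SRC=10.0.2.20 DST=192.0.2.25 LEN=60 PROTO=TCP SPT=40002 DPT=25 SYN
Mar  3 10:03:00 fw kernel: [EGRESS-DROP] IN=eth0 OUT=eth1 SRC=10.0.3.7 DST=192.0.2.53 LEN=76 PROTO=UDP SPT=53211 DPT=53
Mar  3 10:03:01 fw sshd[1200]: Accepted publickey for ops from 10.0.9.1 port 50222 ssh2
"""

# One regex for the fields we care about; SPT is optional because ICMP lines lack it.
LINE_RE = re.compile(
    r"\[(?P<prefix>[A-Z-]+)\] .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r".*?PROTO=(?P<proto>\S+)(?: SPT=\d+)? DPT=(?P<dpt>\d+)"
)


def parse_drops(log_text, prefix="EGRESS-DROP"):
    """Yield (src, dst, proto, dpt) for every line logged under the given prefix."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m.group("prefix") == prefix:
            yield m.group("src"), m.group("dst"), m.group("proto"), int(m.group("dpt"))


def summarize(log_text, allowlist=frozenset()):
    """Count blocked egress attempts per source host, keyed by (dst, proto, dpt).

    allowlist holds (dst, proto, dpt) tuples for destinations that are known to be
    legitimate but not yet permitted by the firewall policy. Those hits are the
    tuning noise the text describes: they are counted separately as policy gaps
    rather than mixed into the per-host picture that an analyst reviews.
    """
    counts = defaultdict(lambda: defaultdict(int))
    suppressed = defaultdict(int)
    for src, dst, proto, dpt in parse_drops(log_text):
        if (dst, proto, dpt) in allowlist:
            suppressed[(src, dst, proto, dpt)] += 1
        else:
            counts[src][(dst, proto, dpt)] += 1
    return {src: dict(dests) for src, dests in counts.items()}, dict(suppressed)


def flag_hosts(summary, min_distinct_ports=2):
    """Return {src: sorted ports} for hosts that were blocked on at least
    min_distinct_ports different outbound ports. A single blocked port is usually
    a misconfiguration; several distinct ones from one host is worth a look."""
    flagged = {}
    for src, dests in summary.items():
        ports = {dpt for (_dst, _proto, dpt) in dests}
        if len(ports) >= min_distinct_ports:
            flagged[src] = sorted(ports)
    return flagged


if __name__ == "__main__":
    # The mail relay on 192.0.2.25:25 is a constructed known-good destination.
    summary, gaps = summarize(SAMPLE_LOG, allowlist=frozenset({("192.0.2.25", "TCP", 25)}))
    for src, dests in summary.items():
        for (dst, proto, dpt), n in sorted(dests.items()):
            print(f"{src} -> {dst} {proto}/{dpt}: {n} blocked")
    print("policy gaps (allowlisted but still dropped):", gaps)
    print("hosts to review:", flag_hosts(summary))
```

Running the script on the constructed lines shows the split the blue team answer is asking for: the mail server's two drops surface as a policy gap to fix in the ruleset, the single DNS drop from 10.0.3.7 stays below the review threshold, and only 10.0.1.5, blocked on three different outbound ports, is listed for an analyst. Raising or lowering min_distinct_ports and growing the allowlist over successive days is the tuning the answer says takes time.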
What is some practical advice on writing a good report?
Writing a report can seem like a daunting task if you’ve had negative experiences in the past. For a while, writing was something that I thought I couldn’t get excited about. I learned that it’s all about mind-set. By framing the work as valuable and exciting, I’ve made documentation and reporting the favorite aspects of my job. I’ve also learned it’s the easiest way to show long-term value. I recommend shifting to a positive mind-set, making it fun, and being proud of the work. Documentation and reporting are the trophy case to your hard work.
How do you ensure your program results are valuable to people who need a full narrative and context?
Ensuring value can mean many things. It’s important to first know what is the metric for your team’s value. If your team is being measured on a number of engagements per year, then begin collecting that data on that metric and similar metrics. If a red team and blue team are working cohesively as a unit, then each engagement will introduce new results, and the data will reinforce this. If your red team is finding similar or identical findings each engagement, this is a cautionary sign that all teams are not working closely together or the importance is not being highlighted correctly. This is a great opportunity to get involved and provide more contextual information related to findings.
How do you recommend security improvements other than pointing out where it’s insufficient?
Outside of basic security recommendations, it’s vital to search for the root cause of what introduced a vulnerability. Introduce questions such as these: Is it a software issue? Is it an untrained engineer? Is there an organizational process that’s delaying teams from patching? More insightful questions will establish more trust with the customer and make for more interesting red team engagements in the future.
What nontechnical skills or attitudes do you look for when recruiting and interviewing red team members?
I’ve spent most of my career working on larger teams, and I typically look for candidates with eagerness to work with a team. More specifically, I select candidates who can leverage other team members for help. I’m also an advocate of pair programming, hunting, and red teaming. The most beneficial nontechnical skill I find for the red team is the ability to ask questions. Thoughtful questions can satisfy and lead to more positive curiosity.
What differentiates good red teamers from the pack as far as approaching a problem differently?
What differentiates the best from the pack are habits. Acquiring the skills to become exceptional takes time and requires consistency. Often you see the greatest red teamers consistently attending the same meetings and conferences that help them continually succeed and avoiding bad agreements. It’s most beneficial to prioritize what’s most important and avoid distractions while learning and completing tasks. ■